Veritas NetBackup102 Sheltered Harbor Solution Guide
Sheltered Harbor
NetBackup 10.2
Veritas Sheltered Harbor Solution Guide
Last updated: 2023-03-27
Legal Notice
Copyright © 2023 Veritas Technologies LLC. All rights reserved.
Veritas, the Veritas Logo, and NetBackup are trademarks or registered trademarks of Veritas
Technologies LLC or its affiliates in the U.S. and other countries. Other names may be
trademarks of their respective owners.
This product may contain third-party software for which Veritas is required to provide attribution
to the third party (“Third-party Programs”). Some of the Third-party Programs are available
under open source or free software licenses. The License Agreement accompanying the
Software does not alter any rights or obligations you may have under those open source or
free software licenses. Refer to the Third-party Legal Notices document accompanying this
Veritas product or available at:
https://www.veritas.com/about/legal/license-agreements
The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be
reproduced in any form by any means without prior written authorization of Veritas Technologies
LLC and its licensors, if any.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq.
"Commercial Computer Software and Commercial Computer Software Documentation," as
applicable, and any successor regulations, whether delivered by Veritas as on premises or
hosted services. Any use, modification, reproduction release, performance, display or disclosure
of the Licensed Software and Documentation by the U.S. Government shall be solely in
accordance with the terms of this Agreement.
http://www.veritas.com
Technical Support
Technical Support maintains support centers globally. All support services will be delivered
in accordance with your support agreement and the then-current enterprise technical support
policies. For information about our support offerings and how to contact Technical Support,
visit our website:
https://www.veritas.com/support
You can manage your Veritas account information at the following URL:
https://my.veritas.com
If you have questions regarding an existing support agreement, please email the support
agreement administration team for your region as follows:
Japan CustomerCare_Japan@veritas.com
Documentation
Make sure that you have the current version of the documentation. Each document displays
the date of the last update on page 2. The latest documentation is available on the Veritas
website:
https://sort.veritas.com/documents
Documentation feedback
Your feedback is important to us. Suggest improvements or report errors or omissions to the
documentation. Include the document title, document version, chapter title, and section title
of the text on which you are reporting. Send feedback to:
NB.docs@veritas.com
You can also see documentation information or ask a question on the Veritas community site:
http://www.veritas.com/community/
https://sort.veritas.com/data/support/SORT_Data_Sheet.pdf
Contents
■ Resilience Planning
■ Certification
Data Vaulting
Institutions back up critical customer account data each night in the Sheltered
Harbor standard format, either managing their own vault or using their service
provider. The data vault is encrypted, unchangeable, and completely separated
from the institution’s infrastructure.
Resilience Planning
Institutions prepare the business and technical processes and key decision
arrangements to be activated in the case of a Sheltered Harbor event, where all
other options to restore critical systems, including backups, have failed. The
Sheltered Harbor resilience plan enables the participating financial institution to
quickly recover the critical account data from the vault and restore two critical
services: customer access to account balance information, and access to funds
against those balances.
Certification
Participating institutions adopt a robust set of Sheltered Harbor prescribed
safeguards and controls, which are independently audited for compliance with the
Sheltered Harbor standards. Upon successfully completing the requirements for
Data Vaulting, the institution will be awarded Sheltered Harbor Data Protected
certification and an accompanying seal, communicating that their customer account
data is protected. Additional certification is awarded to organizations that
demonstrate completed and tested resilience plans.
Archive data vaulting using Veritas Alta Recovery Vault for Sheltered
Harbor
In this process, the selected data is stored on the cloud using immutable storage
and the original files are available on the source. To start the data vaulting operation,
the backup policy needs to be configured on the NetBackup primary server. When
you start the data vaulting operation, the NetBackup client software on your computer
sends the data to be backed up to the NetBackup media server. The media server
then deduplicates and writes the data to a supported immutable cloud object storage.
After the data backup is successful, the Sheltered Harbor solution sends an
attestation message to the Sheltered Harbor monitoring log.
The Sheltered Harbor solution on the NetBackup client initiates the backup of
encrypted data. The following diagram depicts the process of data backup to Veritas
Alta Recovery Vault:
Figure 1-1 Archive data vaulting using Veritas Alta Recovery Vault for
Sheltered Harbor
[Diagram labels: Production Domain; Primary Server; NetBackup Client; BAR UI;
Input Storage (Data Extraction); NetBackup Sheltered Harbor Solution; Transfer
Storage; Post Processing; Cloud Provider KMS; Private / Public Keys; MSDP-C
Server; Veritas Alta Recovery Vault (Archive Volumes & Secure Envelope);
Sheltered Harbor Monitoring Log; numbered steps 1 to 5.]
About Veritas Sheltered Harbor solutions 10
About Veritas Alta solution for Sheltered Harbor
5 Sheltered Harbor monitoring log: The Sheltered Harbor monitoring log shows
the attestation message as a proof of a successful completion of the daily data
vaulting process.
Figure 1-2 Archive restoration using Veritas Alta Recovery Vault for
Sheltered Harbor
[Diagram labels: Production Domain; NetBackup Client; Primary Server.]
Note: Ensure that you specify the correct recovery storage path while you
restore the backup data files using the BAR GUI or web UI.
About Veritas NetBackup for Sheltered Harbor
Note: The decryption of data by the solution is required only for data recovery
and verification test, or for service restoration by a self-restorer.
4 Restored data storage: Once you perform the data restoration using the
Sheltered Harbor solution, the data files are decrypted and stored in the restored
data storage.
The data restoration using the Sheltered Harbor solution can be done on a
completely isolated NetBackup client that does not have connectivity with a
primary server. Such an isolated NetBackup client can be installed by skipping
host certificate deployment during the NetBackup client installation. The data
restoration needs connectivity with the KMS where the envelope decryption key
is stored.
Note: Ensure that you specify the correct restoration storage path while
performing the data restoration operation.
The Sheltered Harbor solution on the NetBackup client initiates the backup of
encrypted data. The following diagram depicts the process of data vaulting to CRD
domain:
Figure 1-3 Data vaulting using Veritas NetBackup for Sheltered Harbor
[Diagram labels: Production Domain; Cyber Resilient Domain (CRD); Primary
Server (one in each domain); NetBackup Client; BAR UI; Input Storage (Data
Extraction); NetBackup Sheltered Harbor Solution; Transfer Storage; Post
Processing; Cloud Provider KMS; Private / Public Keys; MSDP Storage; MSDP
Immutable storage; Sheltered Harbor Monitoring Log; numbered steps 1 to 7.]
4 Backup in production domain: The encrypted archive volumes along with the
secure envelope get backed up on a production MSDP storage unit first. A unique
keyword is generated and is used during backup. This keyword identifies the
backup image during restore and it can be seen using the --report command
option. For example, an ‘SH-<random number>’ keyword is generated during
backup that is further used on the BAR UI to see the backup files.
Note: The Backup operation runs successfully without configuring IRE import
notification.
5 Air gap: The air gap restricts network access to data stored on the MSDP server
running in the CRD domain, except during the time frame when replication occurs
from the production MSDP to the CRD MSDP server. Once the encrypted archive
volumes along with the secure envelope get backed up in the production domain,
NetBackup initiates replication of that backup image only when logical air gap is
closed.
6 Import in CRD domain: Once the image is replicated to the CRD domain, the
import operation imports the image in the CRD domain, ensuring that a copy of
the encrypted archive volumes and secure envelope is made on immutable storage
in the CRD domain. After successful import, a notification is sent to the
Production Primary server.
7 Sheltered Harbor monitoring log: The Sheltered Harbor solution keeps polling
for the import notification from the CRD domain. Once it receives that
notification, an attestation message is sent to the Sheltered Harbor monitoring
log as a proof of a successful completion of the daily data vaulting process.
[Diagram labels: NetBackup Client; Primary Server; MSDP-C Server; Backup
Archive Restore UI; Recovery Storage (Archive Volumes & Secure Envelope);
NetBackup Sheltered Harbor Solution; Cloud Provider KMS; Private / Public Keys;
Restored Data Storage; Storage Medium (Hard Disk/Pendrive); Institution
Recovery domain; numbered steps 1 to 5.]
Note: Make sure that the recovery storage path is empty while restoring
the backup data files because the data files cannot be overwritten.
2 Recovery storage: It contains the recovered encrypted data files along with
the secure envelope. You can use any portable medium (such as Pen drive,
hard disk) to store the recovered data.
Note: Make sure that you specify the correct recovery storage path while
restoring the backup data files. Use the NetBackup Backup Archive Restore
UI to restore the data.
3 External or cloud provider KMS: The Sheltered Harbor solution decrypts the
data encryption key (DEK) with the help of a configured KMS. The DEK is
further used to decrypt the recovery storage data. It ensures that the
encryption/decryption keys do not leave the KMS boundaries. If cloud KMS is
not configured, you can use on-premises KMS.
4 Restored data storage: Once you perform the data restoration using the
Sheltered Harbor solution, the data files are decrypted and stored in the restored
data storage.
The data restoration using the Sheltered Harbor solution can be done on a
completely isolated NetBackup client that does not have connectivity with a
primary server. Such an isolated NetBackup client can be installed by skipping
host certificate deployment during the NetBackup client installation. The data
restoration needs connectivity with the KMS where the envelope decryption key
is stored.
Note: Ensure that you specify the correct restoration storage path while
performing the data restoration operation.
5 Recovery domain: Once the files are stored in the restored data storage, you
can transfer the data to the recovery domain by using any portable medium (such
as Pen drive, hard disk).
Figure 1-5 Archive recovery in Cyber Resilient Domain (CRD) and restoration
in restoration environment
[Diagram labels: CRD domain; Recovery domain; Primary Server; NetBackup
Client; Storage Medium (Hard Disk/Pendrive); Cloud-provider KMS; Private /
Public Keys; numbered steps 1 to 5.]
Note: Make sure that you specify the correct recovery storage path while
recovering the backup data files. Use the NetBackup Backup Archive Restore
UI or the NetBackup web UI to recover the data.
3 Data transfer: Use any portable medium (such as Pen drive, hard disk) to
transfer the encrypted data files to the Recovery domain to initiate data
decryption by using Sheltered Harbor solution.
Restore backup data using NetBackup web UI
4 External or cloud provider KMS: The Sheltered Harbor solution decrypts the
data encryption key (DEK) with the help of a configured KMS. The DEK is
further used to decrypt the recovery storage data. It ensures that the
encryption/decryption keys do not leave the KMS boundaries. If cloud KMS is
not configured, you can use on-premises KMS.
5 Restored data storage: Once the recovered data is available in the Restoration
environment, the Sheltered Harbor solution is run to perform the data
restoration, which decrypts the archived volumes, extracts the data files, and
stores them in the restored data storage.
The data restoration using the Sheltered Harbor solution can be done on a
completely isolated NetBackup client that does not have connectivity with a
primary server. Such an isolated NetBackup client can be installed by skipping
host certificate deployment during the NetBackup client installation. The data
restoration needs connectivity with the KMS where the envelope decryption key
is stored.
Note: Ensure that you specify the correct restoration storage path while
performing the data restoration operation.
Note: For UNIX, use the standard policy type. For Windows, use the
MS-Windows policy type.
■ Restore type
You need to use the normal backups type.
5 Click Next.
6 Select the Start date and End date.
7 Select Backup Keyword that was used during backup. You can run the
--report command option to see the keyword.
8 Select the files that need to be restored using the file explorer.
Note: All the files in the image need to be selected for restore. If they are not
selected, the Sheltered Harbor solution does not recover the files.
9 Click Next.
10 Select Restore target options as required. If Restore everything to a
different location is selected, then provide the directory used as Recovery
storage path for Sheltered Harbor solution.
11 Click Next.
12 Review the recovery settings and then click Start recovery.
Chapter 2
Prerequisites to configure
Sheltered Harbor solutions
This chapter includes the following topics:
NetBackup installation
The NetBackup Sheltered Harbor solution is available on all NetBackup server
platforms.
The following are the steps to install NetBackup primary server, media server, and
client.
System requirements
Review the following system requirements for the NetBackup Sheltered Harbor
solution:
■ NetBackup primary server: Version 10.2
■ NetBackup media server: Version 10.2
■ NetBackup client: Version 10.2
Note: NetBackup KMS cannot be used for the Sheltered Harbor solution
configuration.
Note: CRL downloading is not allowed on the NetBackup client by default (the
default value is 0). To make an SSL connection to an external KMS server, enable
it by setting the ALLOW_SH_EKMS_CRL_DOWNLOAD config flag to 1.
Step Description
Step 2 To create a policy, see the Creating backup policies chapter in NetBackup
Administrator’s Guide, Volume 1.
While creating the policy, you must select the user backup schedule to configure
the policy. For the NetBackup Sheltered Harbor solution, the retention period
must be greater than 2 days.
Note: For UNIX, use the standard policy type. For Windows, use the
MS-Windows policy type.
Note: Ensure that the client host name used in the backup policy is exactly the
same as the CLIENT_NAME field in the client's NetBackup configuration.
Note: You must get the license from Sheltered Harbor before configuring the
NetBackup Sheltered Harbor solution and make sure to renew the license before
it expires.
Step Description
Step 1 To configure Auto Image Replication (A.I.R.), see About Auto Image
Replication (A.I.R.).
Step 3 To configure the Isolated recovery Environment (IRE) for Sheltered Harbor
solution.
Step 4 To create a policy, see the Creating backup policies chapter in NetBackup
Administrator’s Guide, Volume 1.
While creating the policy, you must select the user backup schedule to
configure the policy. For the NetBackup Sheltered Harbor solution, the
retention period must be greater than 2 days.
Note: For UNIX, use the standard policy type. For Windows, use the
MS-Windows policy type.
Note: Ensure that the client host name used in the backup policy is exactly
the same as the CLIENT_NAME field in the client's NetBackup configuration.
bpsetconfig> SLP.ENABLE_IMPORT_CONFIRMATION = 1
2 Add IRE primary server as Trusted Master in production primary. Use the
following command:
# bpsetconfig
4 Add production primary server as remote primary server in IRE domain. Use
the following command:
# nbemmcmd -addhost -machinename <Production primary server name>
-machinetype remote_primary -netbackupversion <NetBackup version>
-operatingsystem <OS name>
5 Deploy HostID certificate for IRE primary server from Production Primary server.
Use the following command:
# nbcertcmd -getCACertificate -server <production primary server>
Note: If you are using ECA, enroll the certificate on the IRE primary server
by running the following command.
# nbcertcmd -enrollCertificate -server <production primary server>
Prerequisites to configure NetBackup solution for Sheltered Harbor
Configuration of Flex
Veritas NetBackup solution for Sheltered Harbor is supported on Veritas Flex
Appliance 2.1 and later.
To configure Flex Appliance for Sheltered Harbor solution
1 Configure Flex Appliance. See the article.
2 Configure NetBackup primary server, media server, and WORM storage server
instance on Flex Appliance. See the article.
3 Configure Isolated Recovery Environment (IRE) on Flex Appliance. See the
article.
4 Configure IRE for Sheltered Harbor solution.
See “Configuration of Isolated Recovery Environment (IRE)” on page 24.
5 NetBackup client can be installed on a separate host and associated with the
NetBackup Flex primary server instance.
Configure the NetBackup for Sheltered Harbor solution on the same client.
Chapter 3
Veritas Sheltered Harbor
solution workflow
This chapter includes the following topics:
After you carry out the configuration, registration, backup, or restore operations,
see the following directory paths to view the logs:
Windows: NetBackup_install_path\NetBackup\logs\nbshvault
UNIX: /usr/openv/netbackup/logs/nbshvault
Note: The log directory is not created by default. To do so, you need to run the
mklogdir command on the NetBackup client.
How to use Veritas Sheltered Harbor solutions
Note: Use the interactive mode in case you want to run the NetBackup Sheltered
Harbor solution manually.
Note: To perform operation using non-interactive mode, JSON files are required
to pass the input to the NetBackup Sheltered Harbor solution.
Configure operation
The configure operation is the first step in setting up the Sheltered Harbor
solution.
Note: Ensure that the configure and register operations are completed before you
perform the backup or restore operations.
If you have provided the config-dir option during configuration, you should use
the config-dir option in the command as well.
2 Enter the Institution ID.
3 Enter the following logging information about the Sheltered Harbor solution:
■ Maximum log file size (default size is 10 MB).
The Sheltered Harbor solution rotates the log when the log file size exceeds
the maximum log file size.
■ Verbose value (default value is 2).
You need to specify the verbose value between 2 and 5 to see warning and
critical level messages in the log file. To see the debug level messages,
specify the verbose value as 6.
Note: Ensure that you have the read permissions to the license file to run the
nbshvault command.
5 Enter monitoring log type such as Live monitor or Stage monitor to send an
attestation message after successful data vaulting.
6 Select the solution type such as Veritas Alta™ Solution for Sheltered Harbor
or Veritas NetBackup™ Solution for Sheltered Harbor.
Note: Veritas Alta™ Solution for Sheltered Harbor is the default option
selected.
7 Enter the NetBackup API key path when you select the solution type as Veritas
NetBackup™ Solution for Sheltered Harbor.
For more information about NetBackup API key, see https://www.veritas.com
Note: You need to create NetBackup API key using NetBackup web UI
beforehand with the required RBAC permissions. You must add the NetBackup
API key in the text file with the following format <primary server
name>:<NetBackup API key>.
Ensure that you have the read permissions to the API key path.
Note: The storage unit value in the primary server backup policy needs to be
configured with the immutable cloud storage bucket or with the storage lifecycle
policy replicating the image to IRE domain on immutable storage.
9 Enter the following details for KMIP based KMS and Azure key vault:
Select KMIP based KMS or Azure Key Vault.
For example, (KMIP, Azure).
If you enter KMIP based KMS, do the following:
■ Enter the KMS server name:
■ Enter the KMIP port [5696 is default]:
■ Enter the absolute path of certificate file:
■ Enter the absolute path of private key file:
■ Enter the absolute path of CA certificate file:
■ Enter the envelope private encryption key ID:
■ Enter the envelope public encryption key ID:
■ Enter the envelope private sign key ID:
■ Enter the envelope public sign key ID:
If you enter Azure Key Vault, do the following:
■ Enter Vault URI of Azure Key Vault:
■ Enter an authentication option for Azure Key Vault:
■ 1. Managed Identity
#nbshvault --configure
This command configures Sheltered Harbor solution.
Do you want to continue ? [y,n] (y)
Enter the institution ID:
===== Logging =====
Enter the maximum log file size in MB [10 MB is default]:
Enter the verbose value [2 is default]: 5
===== Solution Type =====
Enter Sheltered Harbor solution type
1.Veritas Alta™ Solution for Sheltered Harbor
2.Veritas NetBackup™ Solution for Sheltered Harbor [1,2] [1 is default] : 2
===== License =====
Enter the Sheltered Harbor license file path:
===== Sheltered Harbor Monitoring Log Type =====
Enter monitoring log type for sending an attestation message
[1 is default] : 2
===== NetBackup Artifact Information =====
Enter the primary server policy: test_air_2
Enter the NetBackup apiKey path: /sharbor/netbackup_apiKey
===== KMS =====
Do you want to configure KMIP based KMS or Azure Key Vault ?
[KMIP, Azure] [KMIP is default] :
Enter the KMS server name: ekms.nbusec.vxindia.veritas.com
Enter the KMIP port [5696 is default]:
Enter the absolute path of certificate file: /sharbor/cert_chain.pem
Enter the absolute path of private key file: /sharbor/key.pem
Enter the absolute path of CA certificate file: /sharbor/cacerts.pem
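The following pre-flight audit of the files named at the configure prompts is an added example, not part of the Veritas guide. It checks the API key file against the <primary server name>:<NetBackup API key> format and flags secrets readable by group or other; owner-only access is an assumed hardening target (the guide only requires read access), and the function names and sample file names are constructed.

```shell
#!/bin/sh
# Added example (not Veritas code): audit the files named at the
# `nbshvault --configure` prompts before scheduling vaulting jobs.

# perm_ok FILE: regular, readable, and no group/other permission bits.
# Owner-only access is an assumption; the guide only asks for read access.
perm_ok() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;   # e.g. 600 or 400
        *)   return 1 ;;
    esac
}

# apikey_format_ok FILE: exactly one non-blank line of the form
# <primary server name>:<NetBackup API key>, as the guide specifies.
apikey_format_ok() {
    n=$(grep -c '[^[:space:]]' "$1" 2>/dev/null) || return 1
    [ "$n" -eq 1 ] || return 1
    grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?:[^[:space:]]+$' "$1"
}

# audit_sh_secrets APIKEY_FILE KMS_PRIVATE_KEY LICENSE_FILE
# Prints one line per finding (never the secret itself) and returns the
# number of findings, so 0 means the files passed every check.
audit_sh_secrets() {
    findings=0
    if ! perm_ok "$1"; then
        echo "FINDING: API key file '$1' is missing or open to group/other"
        findings=$((findings + 1))
    fi
    if ! apikey_format_ok "$1"; then
        echo "FINDING: API key file '$1' is not one <primary server name>:<API key> line"
        findings=$((findings + 1))
    fi
    if ! perm_ok "$2"; then
        echo "FINDING: KMS private key '$2' is missing or open to group/other"
        findings=$((findings + 1))
    fi
    if [ ! -r "$3" ]; then
        echo "FINDING: license file '$3' is not readable by $(id -un)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample files; all contents are placeholders, not real secrets.
demo() {
    d=$(mktemp -d) || return 1
    printf 'primary01.example.com:PLACEHOLDER_API_KEY\n' > "$d/netbackup_apiKey"
    printf 'placeholder private key\n' > "$d/key.pem"
    printf 'placeholder license\n' > "$d/license.lic"
    chmod 600 "$d/netbackup_apiKey"
    chmod 644 "$d/key.pem"          # deliberately too open: one finding
    audit_sh_secrets "$d/netbackup_apiKey" "$d/key.pem" "$d/license.lic"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "findings: $?"
```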
Register institution
After configuration with the Sheltered Harbor solution, you must register the
institution with the Sheltered Harbor monitoring log.
Note: Ensure that you have configured the Sheltered Harbor solution before you
register the institution.
Use the following procedures to register the institution with the Sheltered Harbor
monitoring log.
Registration procedure
1 Run either of the following commands on the command prompt:
■ nbshvault --register
If you have provided the config-dir option during configuration, you should use
the config-dir option in the command as well.
2 Enter the institution ID, and registration ID (provided by the Sheltered Harbor).
The following example shows the register operation:
nbshvault --register
This operation generates private key and sends registration message
to the Sheltered Harbor monitoring log.
Do you want to continue? [y,n] (y) y
Enter the institution ID:
Enter the registration key provided by Sheltered Harbor:
Institution ID is already registered.
Backup operation
Backup operation lets you back up the institution input data using interactive mode.
Use the following procedures to perform the operation.
Backup procedure
1 Run either of the following commands:
■ nbshvault -b | --backup
If you have provided the config-dir option during configuration, you should
use the same option for the command as well.
2 Enter the Institution ID.
3 Enter the input storage path and transfer storage path.
Note: Use the --force option along with --backup when the backup JSON
file is provided to continue with backup even though attestation for the last
backup has failed.
The backup and attest command options cannot run in parallel as they process
the same set of files.
nbshvault -b
This command backs up the data as per the Sheltered Harbor
compliance specifications. Do you want to continue? [y,n] (y)
Enter the institution ID:
Enter the input storage path:
Enter the transfer storage path:
Restore operation
Restore operation in the Sheltered Harbor solution lets you decrypt the restored
data files to their original state. The restore operation can be done using the
following two methods:
■ Archive retrieval
Archive retrieval retrieves specified archive (encrypted volumes and a secure
envelope) to recovery storage using BAR GUI or NetBackup web UI.
■ Data restoration
Data restoration process decrypts data and validates integrity of restored files.
This can be done by restore operation using the interactive mode.
To perform restore operation, first you need to restore the data using the Backup
Archive Restore (BAR) GUI or web UI to the recovery storage location. You can
then perform the restore operation using the interactive mode.
Use the following procedure to perform the restore operation.
Restore procedure
1 Run either of the following commands on the command prompt:
■ nbshvault -r | --restore
If you have provided the config-dir option during configuration, you should
use the same option in the command.
2 Enter the institution ID.
3 Enter the recovery storage path and restored data storage path.
The following example shows the restore operation:
nbshvault -r
This command performs data restoration as per the
Sheltered Harbor compliance specifications. Do you want to continue? [y,n] (y)
Enter the institution ID:
Enter the recovery storage path: /root/recovery_storage/
Enter the restored data storage path: /root/d4/
Attestation operation
The nbshvault --attest command option is used when the data vaulting to Veritas
Alta Recovery Vault and IRE is completed but it failed to send an attestation
message to the Sheltered Harbor monitoring log.
Use the following procedures to perform the attestation operation.
Attestation procedure
◆ Run either of the following commands on the command prompt to send the
attestation message to complete the backup operation:
■ nbshvault --attest
Refer to the NetBackup Command Reference Guide for more information about
nbcmdrun command.
Note: Run the nbshvault --report command option to fetch the backup keyword
for attestation.
The backup and attest command options cannot run in parallel as they process the
same set of files.
nbshvault --attest
Enter the institution ID: institution ID
Checking for any latest pending image for attestation
Skipping vaulting attestation as vaulting attestation is set to
false in input configuration JSON file.
Note: You must specify the path where you want to create the JSON file
templates, and ensure that you have the required access to the path.
■ backup.json
■ restore.json
Note: You must provide the correct JSON formatted file while performing the
data vaulting operation. If you are using Windows, you need to specify the
double backslash (\\) in the path.
Configuration operation
Configuration operation is performed using config.json. You have to manually
run the compliance solution with the configure option. It is a one-time activity. The
NetBackup Sheltered Harbor solution runs the daily vaulting process to backup and
restore (periodic or on demand) using already configured data.
The compliance solution stores the configuration locally on disk file and uses the
same during the backup or restore operations.
Configure the Sheltered Harbor solution using the JSON file as input:
Configure using non-interactive mode
◆ Run either of the following commands on the command prompt:
■ nbshvault --configure filename
If you have provided the config-dir option during configuration, you should use the
config-dir option in the command as well.
Register Institution
After configuration with the Sheltered Harbor solution, you must register the
institution with the Sheltered Harbor monitoring log.
Note: Ensure that you have configured the Sheltered Harbor solution before you
register the institution.
Carry out the following step to register the institution with the Sheltered
Harbor monitoring log.
Register using non-interactive mode
◆ Run either of the following commands on the command prompt:
■ nbshvault --register -i institution_ID -reg-key registration_key
If you have provided the config-dir option during configuration, you should use the
config-dir option in the command as well.
This command option lets you provide the institution ID and registration key.
Once the command is run successfully, the institution is registered to the Sheltered
Harbor monitoring log.
The following example shows the register operation:
Backup Operation
A backup operation is performed using the backup.json file. The backup.json
file contains the information related to backup such as input storage path, and
transfer storage path.
Carry out the following step to perform the backup operation.
Backup using non-interactive mode
◆ Run either of the following commands to backup data to Veritas Alta Recovery
Vault:
■ nbshvault -b filename --force | --backup filename --force
If you have provided the config-dir option during configuration, you should use
the config-dir option in the command as well.
Note: Use the --force option along with --backup when the backup JSON file is
provided, to continue taking the backup even if attestation for the last backup
has failed.
Note: The backup and attest command options cannot run in parallel as they
process the same set of files.
nbshvault -b /root/NEW_TEMP/backup.json
Performing license validation.
License validation is successful.
Checking for any latest pending image for attestation
No latest pending image found for attestation.
Started backup operation
Backup operation is successful.
The requested operation was successfully completed
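Because the backup and attest command options cannot run in parallel, scheduled non-interactive jobs need mutual exclusion. The wrapper below is an added example, not Veritas code: the lock location, the NBSHVAULT variable and the function names are assumptions, and it uses only the nbshvault options shown in this guide.

```shell
#!/bin/sh
# Added example (not Veritas code): run nbshvault backup and attest jobs
# one at a time, because both process the same set of files.

NBSHVAULT="${NBSHVAULT:-nbshvault}"               # assumed to be on PATH
LOCK_DIR="${LOCK_DIR:-/var/run/nbshvault.lock}"   # hypothetical, root-owned path

# run_exclusive CMD [ARGS...]
# mkdir is atomic, so two scheduled jobs cannot both take the lock.
# Returns 75 (EX_TEMPFAIL) when another job holds it, else CMD's status.
# Assumes all jobs run as the same user, so kill -0 can see the holder.
run_exclusive() {
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        holder=$(cat "$LOCK_DIR/pid" 2>/dev/null) || holder=""
        if [ -n "$holder" ] && ! kill -0 "$holder" 2>/dev/null; then
            # Holder died without cleaning up: reclaim the stale lock.
            rm -rf "$LOCK_DIR"
            mkdir "$LOCK_DIR" 2>/dev/null || return 75
        else
            echo "nbshvault job already running (pid ${holder:-unknown}); skipping: $*" >&2
            return 75
        fi
    fi
    echo "$$" > "$LOCK_DIR/pid"
    "$@"
    rc=$?
    rm -rf "$LOCK_DIR"
    return "$rc"
}

# vault_backup BACKUP_JSON: non-interactive backup, as in `nbshvault -b filename`.
vault_backup() {
    run_exclusive "$NBSHVAULT" -b "$1"
}

# vault_attest INSTITUTION_ID: retry a failed attestation by institution ID.
vault_attest() {
    run_exclusive "$NBSHVAULT" --attest -i "$1"
}

# Entry point for a scheduler: `wrapper.sh backup <file>` or `wrapper.sh attest <id>`.
case "${1:-}" in
    backup) vault_backup "$2" ;;
    attest) vault_attest "$2" ;;
esac
```

An exit status of 75 tells the scheduler that the job was skipped rather than failed, so it can be retried after the running job finishes.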
Restore Operation
Restore operation in the NetBackup Sheltered Harbor solution lets you decrypt the
restored data files to their original state. The restore operation can be done
using the following two methods:
■ Archive retrieval
Archive retrieval retrieves specified archive (encrypted volumes and a secure
envelope) to recovery storage using BAR GUI or NetBackup web UI.
■ Data restoration
Data restoration process decrypts data and validates integrity of restored files.
This can be done by restore operation using the non-interactive mode.
A restore operation is performed using restore.json. The restore.json file contains
the information related to restore such as recovery storage path, and restored data
storage path.
To perform the restore operation, you first need to download the data from the BAR
GUI and save it to the recovery storage location.
Carry out the following steps to perform the restore operation.
Restore using non-interactive mode
◆ Run either of the following commands to restore the data:
■ nbshvault -r | --restore filename
If you have provided the config-dir option during configuration, you should use the
config-dir option in the command as well.
On successful execution of the command, the data is restored to a restored data
storage path on your system.
The following example shows the restore operation:
nbshvault -r /root/NEW_TEMP/restore.json
Restore operation is successful.
The requested operation was successfully completed.
Attestation Operation
The nbshvault --attest command option is used when data vaulting to Veritas Alta
Recovery Vault has completed but the attestation message could not be sent to the
Sheltered Harbor monitoring log.
Use the following procedure to perform the attestation operation.
Attestation using non-interactive mode
◆ Run either of the following commands at the command prompt to send the
attestation message to complete the backup operation:
■ nbshvault --attest [-k keyword] | [-i institution ID]
If you have provided the config-dir option during configuration, you should use the
config-dir option in the command as well.
Note: Run the nbshvault --report command option to get the backup keyword for
attestation.
Note: The backup and attest command options cannot run in parallel because they
process the same set of files.
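Both the backup and the attestation notes state that the two command options cannot run in parallel. The wrapper below is an added example, not Veritas code, showing one way to enforce that on a scheduled host with an atomic lock directory; NBSHVAULT, NBSH_LOCK_DIR, the function names, the lock path, and non-zero exit on nbshvault failure are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Veritas code. Assumed names: NBSHVAULT, NBSH_LOCK_DIR,
# run_exclusive, vault_backup, vault_attest. Assumes nbshvault exits non-zero
# on failure.
NBSHVAULT="${NBSHVAULT:-nbshvault}"
NBSH_LOCK_DIR="${NBSH_LOCK_DIR:-/var/run/nbshvault.lock}"   # assumed path

# Run one nbshvault operation while holding an exclusive lock.
# mkdir is atomic: exactly one caller can create the directory.
run_exclusive() {
    if ! mkdir "$NBSH_LOCK_DIR" 2>/dev/null; then
        holder=$(cat "$NBSH_LOCK_DIR/pid" 2>/dev/null || echo unknown)
        echo "nbshvault busy (lock held by PID $holder); skipped: $*" >&2
        return 75   # EX_TEMPFAIL: caller may retry later
    fi
    echo "$$" > "$NBSH_LOCK_DIR/pid"
    rc=0
    # The subshell's EXIT trap releases the lock on success, failure or signal.
    (
        trap 'rm -rf "$NBSH_LOCK_DIR"' EXIT
        trap 'exit 130' INT TERM
        "$NBSHVAULT" "$@"
    ) || rc=$?
    return "$rc"
}

vault_backup() { run_exclusive -b "$1"; }            # $1: path to backup.json
vault_attest() { run_exclusive --attest -k "$1"; }   # $1: backup keyword

# Dispatcher for cron or a scheduler: script.sh backup FILE | attest KEYWORD
case "${1:-}" in
    backup) vault_backup "$2" ;;
    attest) vault_attest "$2" ;;
esac
```

A lock left behind by a run that was killed outright is reported with the holder's PID and has to be cleared by the operator after confirming that no nbshvault process is still active.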
The following examples show how you can perform the attest operation either using
backup keyword or institution ID:
Example 1: Use backup keyword
About key management services (KMS)
Note: NetBackup KMS cannot be used for configuring the Sheltered Harbor solution.
UNIX: /usr/openv/var/nbshvault
If you have provided the config-dir option during configuration, you should use
the config-dir option in the command as well.
By default, it shows 10 records.
■ nbshvault --report -n number
This command option is recommended if you need to specify the number of records
you want to see at the end of the command.
The following table contains the information on the data vaulting operation reports:
Field             Description
Backup Keyword    The backup keyword that helps to search for specific backup files or
                  folders that are used at the time of recovery.
Step Status       The record step status, whether it is started, completed or failed, for
                  the ongoing operations.
Status message    The final message or exit code at the completion of the operation. If you
                  encounter any error, the exit code message is displayed.
If you have provided the config-dir option during configuration, you should use
the config-dir option in the command as well.
Chapter 4
Glossary
This chapter includes the following topics:
Terms                 Definitions
Archive volume        An encrypted file resulting from the encryption of the compressed
                      volumes. A set of archive volumes for the same financial entity and
                      business date constitutes an archive.
Archive               A set of archive volume files containing encrypted account data files
                      as the financial entity stores the data securely in the data vault.
Archive generation    The daily data vaulting process that generates the archive by
                      compressing and consolidating the account data files and
                      corresponding hash files into the set of compressed volumes. The
                      archive gets encrypted to yield the archive volumes.
Archive repository    A sub-process of the daily data vaulting process to securely store the
                      archive volumes and secure envelope in the data vault.
Attestation message   A daily message that is sent to the monitoring log during vaulting
                      attestation as proof of a successful archive repository for the
                      financial entity.
Data restoration      The process of extracting the account data files from the archive
                      volumes and validating the integrity of the extracted files.
Data vaulting         A daily process of extracting the data from the originating institution
                      and storing it in the immutable storage.
Encryption keys       Encryption keys are created with algorithms designed to ensure that
                      each key is unique and unpredictable.
Immutable vault       The property of the data vault that guarantees that the content of the
                      vault cannot be erased or modified in any worst-case scenario.
Input data            A set of files that is provided by the originating institution to the
                      daily process to perform archive generation and secure repository for a
                      financial institution. The fileset includes the manifest, account data
                      files, and corresponding hash files.